What is the EU Cookie Law?
Posted: May 2, 2021
The EU leads the world in consumer privacy empowerment and personal data protection. Cookie law generally refers to the ePrivacy Directive and GDPR, the two laws in the EU that bolster cookie-related consent and preference management. These laws apply across member states in all organizations that deal with the personal data of EU citizens, regardless of their location. With different scopes and requirements, these two laws together form a comprehensive data protection framework and aim to protect the online privacy and personal data of EU individuals.
What are the requirements of the EU Cookie Law?
ePrivacy Directive
The ePrivacy Directive requires organizations to be transparent about their data use practices. It puts users in control of their data and helps them make informed decisions about whether or not they consent to the use of cookies. This law was passed in 2002, amended in 2008, and came into effect in 2011 as a supplement to the Data Privacy Directive, addressing privacy concerns related to cookies and other electronic tracking technologies, such as SMS, instant messaging, and email.
It sets out the following key principles for consent:
- Obtaining prior cookie consent from users before collecting sensitive information through cookies;
- Providing users with clear and comprehensive information in relation to the use of cookies in a transparent and concise manner;
- Enabling users to refuse or consent to the use of non-essential cookies through the use of a cookie consent banner or pop-up message, including the ability to revoke their consent at will;
- Inscribing a link to the privacy policy (including cookie policy) of the website in the banner to inform users of (how, why, and what) data is collected, used, stored, and shared, including the legal basis for processing data and rights they can exercise;
- Ensuring adequate security measures are in place to safeguard the confidentiality and integrity of cookies against unauthorized access or misuse.
In 2017, the EU proposed the ePrivacy Regulation (ePR) to replace the existing ePrivacy Directive. Currently being debated, the ePR will likely introduce new rules governing user consent, online tracking, and cookies. Unlike the ePrivacy Directive, the ePrivacy Regulation will not allow websites to use ‘legitimate interest’ as the basis for data collection. Additionally, it will include provisions for metadata, which include information about the timing, duration, and location of electronic communications.
Cookies and GDPR
GDPR (General Data Protection Regulation) came into effect in 2018. Compared to the ePrivacy Directive, the GDPR has broader applicability: it applies to any organization that processes the personal data of EU residents, regardless of industry, sector, or location. Additionally, the GDPR prohibits websites from making access conditional on users’ consent to the use of cookies. On top of that, the GDPR imposes non-compliance penalties of up to 4% of annual global revenue or €20 million, whichever is higher. With a few exceptions, both laws have similar cookie-related clauses and place equal emphasis on transparency and accountability, requiring websites to provide users with detailed information about their data processing activities.
Types of Cookies
Cookies can typically be classified in three ways: by their purpose, duration, and provenance.
Cookies serve four main purposes on websites:
- Strictly necessary cookies: These are vital for browsing the website and using its features. They are usually first-party session cookies; consent for them isn’t required, but their necessity should be explained to users.
- Preference (or functionality) cookies: These allow websites to remember past choices, such as language preferences or login credentials, which users will have to consent to.
- Statistics (or performance) cookies: These gather data on website usage, like visited pages or clicked links, to enhance website functionality. The data collected is anonymized and aggregated, usually through third-party analytics services, but these cookies still require consent.
- Marketing cookies: These track online activities to tailor advertisements or control ad exposure. They are typically persistent and third-party cookies which must be consented to.
Cookies can be either temporary session cookies or persistent cookies:
- Session cookies: Temporary and expire once the browser is closed.
- Persistent cookies: Remain on a user’s hard drive or browser until manually erased. They have an expiration date, usually within 12 months according to the ePrivacy Directive, but may persist longer if not removed.
Cookies can also be classified based on their provenance:
- First-party cookies: Directly placed on a device or browser by the website itself.
- Third-party cookies: Set by entities other than the website being visited, such as advertisers or analytics systems.
EU Cookie Law Compliance
Who needs to comply with EU Cookie Law?
The EU Cookie Law, officially known as the ePrivacy Directive, applies to a wide range of entities operating within the European Union (EU) or targeting EU residents. Primarily, this law necessitates compliance from website operators and online service providers that collect or store information through cookies or similar technologies on users’ devices. Whether the organization is a commercial entity, a nonprofit organization, or a public sector body, if it operates within the EU or caters to EU residents, it must adhere to the provisions outlined in the EU Cookie Law.
Additionally, entities that utilize cookies for tracking, advertising, or other purposes fall under the purview of the ePrivacy Directive. This includes not only website owners and operators but also third-party services involved in website analytics, advertising networks, and social media platforms. Essentially, any entity that employs cookies to monitor user behavior, personalize content, or deliver targeted advertisements within the EU is required to comply with the EU Cookie Law. Compliance involves obtaining user consent before setting cookies, providing clear and comprehensive cookie notices, and offering users mechanisms to manage their cookie preferences.
Does EU cookie law apply to US websites?
The EU Cookie Law can apply to websites based outside the European Union (EU), including those in the United States. The law applies to any website that targets EU residents or collects and processes their personal data, regardless of where the website is physically located. If a US-based website offers goods or services to EU consumers or tracks the online behavior of EU users using cookies or similar technologies, it must comply with the EU Cookie Law.
The territorial scope of the Cookie Law (ePrivacy Directive) and the GDPR differs significantly. The ePrivacy Directive pertains specifically to organizations processing personal data within the European Union (EU) and providing services via electronic communication. GDPR, however, has a much broader reach, applying to all companies and organizations worldwide, irrespective of their location, if they offer goods or services to EU consumers or collect and process personal data of EU website users.
Consequently, a US-based company that does not engage in any business activities with EU residents is not obligated to comply with the EU Cookie Law. However, if a US-based company conducts business with EU residents and collects or processes their personal data, it falls under the jurisdiction of the EU Cookie Law. All other US-based businesses will be covered by similar US cookie laws.
How to comply with the EU Cookie Law
There are several key steps to ensure adherence to the EU Cookie Law, encompassing the ePrivacy Directive and GDPR. First, obtaining user consent before setting cookies is paramount. Websites must implement mechanisms to obtain explicit consent from visitors. This is typically done through a cookie consent banner or pop-up that informs users of the types of cookies being used and their purposes. Users should have the option to accept or decline cookies based on clear and comprehensive information provided by the website.
Additionally, providing users with accessible tools to manage their cookie preferences is essential. Websites should offer users the ability to adjust cookie settings, such as opting in or out of specific cookie categories. Websites must also maintain a transparent cookie policy. This includes detailed information about the types of cookies used, their purposes, and how users can adjust their cookie preferences in easily accessible privacy notices or cookie policies.
When should a user’s consent be obtained?
Under the EU Cookie Law, consent must be obtained before setting cookies or similar tracking technologies on users’ devices or browsers. This consent is necessary regardless of whether or not the cookies collect personal data. The requirement applies when users first visit a website and before any cookies are placed on their device or browser, via either a cookie banner or a pop-up.
What happens if a user opts out?
Under current EU regulation, if a user opts out or rejects cookies, websites are required to respect their preferences and refrain from setting cookies on their device or browser, except for strictly necessary cookies. Strictly necessary cookies, which are essential for website functionality and user experience, may be exempt from the requirement for user consent. However, for all other types of cookies, including those used for analytics, advertising, or personalization, websites must honor the user’s choice to opt out and refrain from setting these cookies unless explicit consent is obtained.
Additionally, websites should provide users with alternative means to access the website’s content or services if they choose to opt out of cookies. This ensures that users who opt out of cookies are not unfairly disadvantaged or prevented from accessing essential website features. Failure to respect user preferences and comply with the EU Cookie Law can result in penalties and fines imposed by EU regulatory authorities. Therefore, it is essential for websites to implement mechanisms to honor user cookie preferences and ensure compliance with the law.
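The three requirements just described (no non-essential cookie before a choice is made, a choice per category, and withdrawal of consent at any time that also removes cookies already set) are straightforward to enforce in front-end code if every cookie write goes through one consent-aware gate. The following is an added example written for this page, not code from the original post or from any consent-management product. It assumes four category names mirroring the four purposes listed earlier, a small "jar" abstraction so it can run outside a browser (an in-memory jar for the demo, a `document.cookie`-backed jar for a page), and caps persistent cookies at the 12-month lifetime the post mentions; the cookie names in the demo are constructed.

```javascript
// Consent-gated cookie helper (added example, not from the original post).
// Writes a cookie only if the user has allowed its category, always allows
// "necessary", and clears non-essential cookies when consent is withdrawn.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const MAX_PERSISTENT_AGE = 365 * 24 * 60 * 60; // cap persistent cookies at 12 months, as the post states

// In-memory jar: a constructed stand-in for document.cookie so the demo runs offline.
function memoryJar() {
  const store = new Map();
  return {
    set(name, value, maxAge) { store.set(name, { value, maxAge }); },
    remove(name) { store.delete(name); },
    get(name) { return store.get(name); },
    names() { return [...store.keys()]; },
  };
}

// Browser jar (assumption: only usable where `document` exists).
function documentJar() {
  const attrs = "; Path=/; SameSite=Lax; Secure";
  return {
    set(name, value, maxAge) {
      const age = maxAge == null ? "" : `; Max-Age=${maxAge}`; // no Max-Age means a session cookie
      document.cookie = `${name}=${encodeURIComponent(value)}${age}${attrs}`;
    },
    remove(name) { document.cookie = `${name}=; Max-Age=0${attrs}`; },
    get(name) {
      const hit = document.cookie.split("; ").find((c) => c.startsWith(`${name}=`));
      return hit ? { value: decodeURIComponent(hit.slice(name.length + 1)) } : undefined;
    },
    names() { return document.cookie.split("; ").filter(Boolean).map((c) => c.split("=")[0]); },
  };
}

class ConsentManager {
  constructor(jar = typeof document === "undefined" ? memoryJar() : documentJar()) {
    this.jar = jar;
    this.allowed = new Set(["necessary"]); // before any choice, only strictly necessary cookies may be set
    this.registry = new Map();             // cookie name -> category, so withdrawal knows what to clear
    this.decided = false;                  // true once the user has accepted or rejected
  }

  isAllowed(category) { return this.allowed.has(category); }

  // Record the banner choice. `choices` maps a non-essential category to true/false.
  update(choices) {
    for (const [category, on] of Object.entries(choices)) {
      if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
      if (category === "necessary") continue; // cannot be switched off
      if (on) this.allowed.add(category); else this.allowed.delete(category);
    }
    this.decided = true;
    this.purge();
  }

  acceptAll() { this.update({ preferences: true, statistics: true, marketing: true }); }

  // "Reject all" and "withdraw consent" are the same operation: back to necessary only.
  rejectAll() { this.update({ preferences: false, statistics: false, marketing: false }); }

  // The single gate every cookie write goes through. Returns true only when written.
  setCookie(name, value, category, { maxAge = null } = {}) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (!this.allowed.has(category)) return false;
    const age = maxAge == null ? null : Math.min(maxAge, MAX_PERSISTENT_AGE);
    this.jar.set(name, value, age);
    this.registry.set(name, category);
    return true;
  }

  // Delete every registered cookie whose category is no longer allowed.
  purge() {
    for (const [name, category] of this.registry) {
      if (!this.allowed.has(category)) { this.jar.remove(name); this.registry.delete(name); }
    }
  }
}

// Walk through first visit, a partial choice, and withdrawal; returns what happened at each stage.
function demo() {
  const cm = new ConsentManager(memoryJar());
  const beforeConsent = {
    session: cm.setCookie("sessionid", "abc123", "necessary"),                        // allowed pre-consent
    analytics: cm.setCookie("site_stats", "v1", "statistics", { maxAge: 3 * 365 * 86400 }), // blocked
  };
  cm.update({ preferences: true, statistics: true, marketing: false });
  const afterChoice = {
    analytics: cm.setCookie("site_stats", "v1", "statistics", { maxAge: 3 * 365 * 86400 }),
    ads: cm.setCookie("ad_id", "y", "marketing", { maxAge: 86400 }),
  };
  cm.rejectAll(); // user withdraws consent; analytics cookie is removed, session cookie stays
  return { beforeConsent, afterChoice, remaining: cm.jar.names() };
}

if (typeof require !== "undefined" && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

The design point is that application code never touches `document.cookie` directly; it calls `setCookie` with a category, and whether the write happens is decided in one place from the user's current choice. That makes "did we set anything before consent?" a question you can answer by reading one function rather than auditing every script on the page.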
Read our comprehensive Cookie Guide
Are you aware that a significant number of organizations are still not compliant with cookies, and 68% of the most-visited websites have failed GDPR compliance tests? Consumers demand more from the brands they engage with. Ensure your brand stands out by making informed decisions about your cookie policy that keep you compliant and elevate the customer experience.